
3 Answers

It sounds like your "source B" should be a lookup table instead of indexed data. You can define a lookup with a match_type for a given field of CIDR, which should let you maintain your source B as a simple CSV file that is used by Splunk to update your events.

Note that Splunk's CIDR matching rules are on the first matching CIDR entry in the lookup table, so I had to put more specific subnets of 11.0.0.0/8 first in the file, and I had to put 0.0.0.0/0 last in the file for it to work right.

UPDATE 09 Sept: Like any other lookup, you can enable this lookup to fire automatically for a sourcetype, source, or host. This is easily done via an update to props.conf. To enable this lookup for a sourcetype of foo, add to props.conf:

You can use scheduled searches to maintain such a lookup table from your indexed data (`outputlookup`). If this information changes over time, you can create and maintain a time-based lookup to get accurate results for events from the past.
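The first-match ordering caveat from the first answer, simulated in Python so the shadowing can be checked before a lookup CSV is deployed. This is an added example, not code from any of the posters or from Splunk; the CSV contents, the `zone` column name and the function names are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample lookup (not from the thread). Splunk's CIDR lookups
# return the FIRST matching row, so narrower subnets of 11.0.0.0/8 come
# first and the catch-all 0.0.0.0/0 must be last.
LOOKUP_CSV = """cidr,zone
11.1.0.0/16,dmz
11.0.0.0/8,corp
0.0.0.0/0,external
"""

def load_lookup(text):
    """Parse lookup rows, preserving file order (the order Splunk uses)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((ipaddress.ip_network(row["cidr"], strict=False), row["zone"]))
    return rows

def first_match(rows, ip):
    """Mimic match_type=CIDR: the zone of the first row containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, zone in rows:
        if addr.version == net.version and addr in net:
            return zone
    return None

def check_order(rows):
    """Find a shadowed pair: a broader network listed before a narrower one
    it contains. Returns (broader, narrower) as strings, or None if the
    file is ordered correctly for first-match semantics."""
    for i, (net_a, _) in enumerate(rows):
        for net_b, _ in rows[i + 1:]:
            if (net_a.version == net_b.version and net_b != net_a
                    and net_b.subnet_of(net_a)):
                return (str(net_a), str(net_b))
    return None

if __name__ == "__main__":
    rows = load_lookup(LOOKUP_CSV)
    for ip in ("11.1.2.3", "11.9.9.9", "8.8.8.8"):
        print(ip, "->", first_match(rows, ip))
    print("ordering problem:", check_order(rows))
```

Running `check_order` over a CSV with `0.0.0.0/0` first reports that row as shadowing `11.0.0.0/8`, which is exactly the misordering the answer warns about.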